Is a python socket connection safe?

Time:11-16

I have built a Python script that uses a Python socket to build a connection between my Python application and my Python server. I have encrypted the data sent between the two systems. I was wondering if I should think of any other things related to security against hackers. Can they do something that could possibly steal data from my computer?

Thanks in advance for the effort.


CodePudding user response:

If the data is encrypted using good encryption (AES, for example) and the decryption key is sent safely, your data is safe. The only other thing I can think about is adding a password or another authentication step before accepting data sent to you via the socket.

Edit: If you keep the connection open, it's always a good idea to create an authentication method so random people won't be able to send you random data.

CodePudding user response:

Encryption is generally a good step, but there are still some subtle concerns, e.g.:

  • An attacker can capture an encrypted message and replay it by resending the ciphertext without knowing the encryption key. If it causes a command (such as turning on a lamp or coffee machine, rebooting, etc.), the attacker can rerun the command.
  • Similarly, certain types of encryption are vulnerable to an attacker piecing together pieces of ciphertexts to create a frankenmessage that will decrypt properly (e.g. with AES-ECB).
  • Your handshake (per your comment) seems to be more security-by-obscurity than a reviewed means of security.

There are off-the-shelf protocols, like the well-known TLS, that provide fairly comprehensive protection. If you can easily add this layer to your sockets (even with hardcoded, self-signed certificates that you distribute to both machines and verify) you already gain significant security over DIY encryption.

There are other theoretical risks, such as an attacker taking advantage of buffer overflow issues to try to gain remote control of the server. Python 3 is generally a good language as far as memory safety, but it's a good idea to make sure that your libraries and machine stay up to date.

If your threat model isn't concerned about this, then you're likely fine. Further, if this is a personal project, you may even want to try to deploy it, and then break into it yourself (knowing everything other than the encryption key) as a further learning exercise.
